OPM Plans Large Database of Health Records

A federal agency recently announced that it plans to create a database containing copies of detailed electronic health records on potentially several million Americans. A little-noticed section of this year’s health reform legislation gave the Office of Personnel Management (OPM) authority to create the database, called the Health Claims Data Warehouse.

The Center for Democracy & Technology (CDT) issued a letter to OPM arguing that this government database is unnecessary and violates the public’s privacy expectations. OPM is accepting comments from the public on the database until November 15th, which is the date the program launching the database will begin – unless OPM receives enough comments convincing it to do otherwise. OPM has informed CDT that it plans to release a revised notice in response to our letter that should provide the public with more details on the program. We look forward to reviewing the revised SORN to assess whether it addresses the issues raised below.

Want to send OPM a comment on the health records database? Email OPM here, or contact them at 202-606-1449 for more information.

A description of the Health Claims Data Warehouse

The personal records in the Health Claims Data Warehouse would include Social Security Number (SSN), information on spouses, children, and employment, as well as health care coverage, procedures, diagnoses, and payments. OPM stated that the purposes of the database would include sharing personal information

With law enforcement agencies for prosecutions and investigations of possible violations of laws or regulations;

With researchers inside and outside the federal government;

With members of Congress, at the request of the individual;

With federal agencies, courts, and other parties during litigation or administrative proceedings;

To actively manage the three health care programs, analyze health trends and pharmacy pricing; and

For “other purposes.”

To fill the Warehouse, OPM wants to set up data feeds to copy detailed individual health records from three major health insurance programs: the Federal Employee Health Benefit Program, the National Pre-Existing Condition Insurance Program, and the Multi-State Option Plan. The first program covers federal employees and their family members. The other two programs were created by the health reform legislation and are not limited to government employees.

According to OPM’s announcement, the patient records would be held for seven years “in a secured database on a secured system,” and that access to the database would be restricted to employees with the right clearance and “a need to know to perform their official duties.” The notice includes a general statement that the data will be de-identified “in many instances.” OPM’s announcement gives almost no other information on how it will protect individuals’ privacy.

Problems with the Health Claims Data Warehouse

CDT issued a letter to OPM to urge the agency to reconsider its plans. CDT’s letter argues that OPM should leave personal data where it is originated instead of copying it into a single, government-run database. CDT also argues that OPM should release much more detail on how the information will be used and protected, and why the database is necessary at all. If OPM needs physical possession of the health records, the agency should explain why.

The Health Claims Data Warehouse would violate Americans’ expectations of privacy in their health records. Most people likely expect that their health plans keep records about their medical claims and payment information. However, people are almost certainly unaware that a government agency intends to collect such detailed and sensitive information about them into a single database, which can then be shared with law enforcement and researchers. This action undermines the public’s trust in the confidentiality of health records, which (as the as the Dept. of Health and Human Services has noted on numerous occasions) is foundational to the health care system.

Although OPM’s announcement states that the individual data will be de-identified “in many instances,” OPM gives no details on what that means. OPM does not explain what information will be stripped from the records or whether the de-identification method meets the legal standards in HIPAA (the nation’s foremost health privacy law). Nor is there any indication as to why OPM cannot de-identify the data for all specific uses. De-identification of data does not make the data risk free, however. Changes in society and technology have made re-identification of de-identified health information easier and cheaper than ever before. Moreover, health plans already have broad discretion to release de-identified data for a variety of purposes, so it is unclear why OPM must get involved in this business directly.

Finally, OPM’s announcement contains blanket statements regarding how the agency will disclose personal health information for research. In most circumstances, the law requires health care plans and providers to obtain an individual’s express permission before using identifiable data for research. Yet OPM gives little indication regarding what types of research will be permitted or prohibited, and whether individuals will have any choice in participating in the research. It would be irresponsible for OPM to move forward with this proposal without more details.

An alternative

The Health Claims Data Warehouse appears to be unnecessary to accomplish the purposes OPM lists in its announcement. The law already gives law enforcement agencies, researchers, and courts the authority to obtain patient information from health plans under certain circumstances. OPM can use its authority to require health plans participating in these programs to run analyses on the data to evaluate health trends. Since the Health Claims Data Warehouse itself appears to be unnecessary to accomplish the purposes OPM lists in its announcement, the primary purpose of the database seems to be administrative convenience. That is, law enforcement, researchers, and other bodies would be able to go directly to OPM’s single, large database rather than requesting data from multiple health plans, as they can now.

OPM should instead consider effective alternatives that would not violate the public’s privacy expectations and would not create unnecessary privacy and security problems. As noted above, an alternative would be to leave identifiable personal data where it is generated (with the health plans), and ask the plans to perform critical analyses. The Food and Drug Administration already operates a similar system, called the Sentinel Initiative. This option would be a closer fit with patient privacy expectations, leverage existing databases rather than creating new ones, and reduce security risks. If this alternative is not feasible, OPM should explain why.

CDT urges OPM to consider a query system as an alternative to the Health Claims Data Warehouse. At very least, OPM’s revised SORN should provide the public with much more detail on how it will protect the privacy and security of patients’ data. It would also be helpful if OPM could clarify whether it is truly necessary to construct this government database of health records – and whether OPM thinks the convenience of another database is worth further undermining the public’s trust in health privacy.